<p>Using cookies is security-sensitive. It has led in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11639">CVE-2018-11639</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6537">CVE-2016-6537</a> </li>
</ul>
<p>Attackers can use widely-available tools to read cookies. Any sensitive information they may contain will be exposed.</p>
<p>This rule flags code that writes cookies.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> sensitive information is stored inside the cookie. </li>
</ul>
<p>You are at risk if you answered yes to this question.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Cookies should only be used to manage the user session. The best practice is to keep all user-related information server-side and link it to the
user session, never sending it to the client. In a very few corner cases, cookies can be used for non-sensitive information that needs to live longer
than the user session.</p>
<p>Do not try to encode sensitive information in a non-human-readable format before writing it to a cookie. The encoding can be reversed and the
original information will be exposed.</p>
<p>Using cookies only for session IDs doesn't make them secure. Follow <a
href="https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies">OWASP best practices</a> when you configure your cookies.</p>
<p>As a side note, all information read from a cookie should be <a
href="https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet">sanitized</a>.</p>
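<p>The following is an added example, not part of the rule description, that puts the flagged pattern next to the recommended practices above using the javax.servlet API (Servlet 3.0 or later is assumed for <code>setHttpOnly</code>): the account identifier is kept server-side in the <code>HttpSession</code> so that only the container-managed session ID reaches the client, and the one cookie that is still written carries a non-sensitive preference that is validated on the way in and out. Class and method names, the <code>userAccountID</code> and <code>preferredLocale</code> attribute names, and the locale pattern are all hypothetical.</p>

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class); not code from the rule description.
public class AccountCookieExample {

    // Sensitive: the account identifier travels to the client in clear text,
    // where it can be read or altered. This is the pattern the rule flags.
    void storeAccountInCookie(HttpServletResponse response, String acctID) {
        Cookie cookie = new Cookie("userAccountID", acctID);
        response.addCookie(cookie);
    }

    // Recommended: keep the account identifier server-side, bound to the
    // session. The client only ever receives the session ID cookie, whose
    // Secure/HttpOnly flags are configured in web.xml (<session-config>).
    void storeAccountInSession(HttpServletRequest request, String acctID) {
        HttpSession session = request.getSession(true);
        session.setAttribute("userAccountID", acctID);
    }

    // Look the identifier up again from the session, never from a cookie.
    String accountFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session == null ? null : (String) session.getAttribute("userAccountID");
    }

    // Corner case: a non-sensitive preference that must outlive the session.
    // Hypothetical whitelist pattern for values such as "en" or "fr-CA".
    private static final Pattern LOCALE = Pattern.compile("[a-z]{2}(-[A-Z]{2})?");

    void storePreferredLocale(HttpServletResponse response, String locale) {
        if (locale == null || !LOCALE.matcher(locale).matches()) {
            throw new IllegalArgumentException("invalid locale");
        }
        Cookie cookie = new Cookie("preferredLocale", locale);
        cookie.setSecure(true);      // only sent over HTTPS
        cookie.setHttpOnly(true);    // not readable from script
        cookie.setPath("/");
        cookie.setMaxAge(60 * 60 * 24 * 180); // 180 days, longer than a session
        response.addCookie(cookie);
    }

    // Every value read back from a cookie is validated before use, since the
    // client can send anything under that name.
    String readPreferredLocale(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return "en";
        }
        for (Cookie c : cookies) {
            if ("preferredLocale".equals(c.getName())) {
                String value = c.getValue();
                if (value != null && LOCALE.matcher(value).matches()) {
                    return value;
                }
            }
        }
        return "en";
    }
}
```

<p>The session ID cookie itself is not written by application code here; its attributes (Secure, HttpOnly, name) belong in the container's session configuration, which is where the OWASP session-management guidance linked above applies.</p>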
<h2>Sensitive Code Example</h2>
<pre>
// === javax.servlet ===
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

public class JavaxServlet {
    void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
        Cookie cookie = new Cookie("userAccountID", acctID);  // Sensitive
        response.addCookie(cookie);  // Sensitive
    }
}
</pre>
<pre>
// === javax.ws ===
import java.util.Date;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;

class JavaxWs {
    void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name,
            String value, String path, String domain, int version) {
        Cookie cookie = new Cookie("name", "value");  // Sensitive

        new NewCookie(cookie);  // Sensitive
        new NewCookie(cookie, comment, maxAge, secure);  // Sensitive
        new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly);  // Sensitive
        new NewCookie(name, value);  // Sensitive
        new NewCookie(name, value, path, domain, version, comment, maxAge, secure);  // Sensitive
        new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly);  // Sensitive
        new NewCookie(name, value, path, domain, comment, maxAge, secure);  // Sensitive
        new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly);  // Sensitive
    }
}
</pre>
<pre>
// === java.net ===
import java.net.HttpCookie;

class JavaNet {
    void httpCookie(HttpCookie hc) {
        HttpCookie cookie = new HttpCookie("name", "value");  // Sensitive
        cookie.setValue("value");  // Sensitive
    }
}
</pre>
<pre>
// === apache.shiro ===
import org.apache.shiro.web.servlet.SimpleCookie;

class ApacheShiro {

    void shiroCookie(SimpleCookie cookie) {
        SimpleCookie sc = new SimpleCookie(cookie);  // Sensitive
        cookie.setValue("value");  // Sensitive
    }
}
</pre>
<pre>
// === Play ===
import play.mvc.Http.Cookie;
import play.mvc.Http.CookieBuilder;
class Play {
    void playCookie() {
        CookieBuilder builder = Cookie.builder("name", "value");  // Sensitive
        builder.withName("name")
          .withValue("value")  // Sensitive
          .build();

    }
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
  </li>
  <li> <a href="http://cwe.mitre.org/data/definitions/312.html">MITRE, CWE-312</a> - Cleartext Storage of Sensitive Information </li>
  <li> <a href="http://cwe.mitre.org/data/definitions/315.html">MITRE, CWE-315</a> - Cleartext Storage of Sensitive Information in a Cookie </li>
  <li> <a href="https://wiki.sei.cmu.edu/confluence/display/java/FIO52-J.+Do+not+store+unencrypted+sensitive+information+on+the+client+side">CERT,
  FIO52-J.</a> - Do not store unencrypted sensitive information on the client side </li>
  <li> Derived from FindSecBugs rule <a href="https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE">COOKIE_USAGE</a> </li>
</ul>

